Rewterz Threat Alert – Emotet Malware – IoCs

Severity

High

Analysis Summary

Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers.

Impact

Financial loss

Indicators of Compromise

SH256

• 19af5bfb8decc32253875836c39031a7e8258d167af7d0332527d0bcecb0c2b2
• 1a762540a795a8daa194322648a2d0072ed65da6e961989b284c31cb57f68405
• 226a36d5c22d1222e1a29d9b1eb8a072e39c5901c7b34654dc303ee6aa19f577
• 252dc0a071edf76775a0a954287fc0cc7ebb45e6f6849f210f747027d5cdeaf1
• 47699a9bb49acddb8c3ccc90dd7059d9677c2337878972d289fe8b656d44119d
• 56524c7f2264ebf2f309fc400eac6016df092c75c6871669d141fcab966fdb10
• 66f0b3b78d41b0164d680f850808ae9133b8f01746662292209aa32588e5db08
• 872e9f66d27895a16d84e9c2ab50708693dd85ae47ad01ccd62b884bfbb2ad56
• a35c5cd847e920a0655e99c9886aab94c91a190b3d0ef81d077e91840aa7c17b
• a3f8cb08735b481402bbe20ac0b2acfb827feac8f62d9d37db3aee0ae03c826f
• a9b18b8eb2f84bac3e831bcead88b525e623e0a3b7c71fc54130b99b3c12969f
• b6e62040ec8b2a92762f654d7f561c761235d6cb688e476c45e96b5355154759
• cb1418e28836dca5fb61a788ce324e9e4d1c3b1e4de6cdada721786f4ea8e12c
• e6d81855312d026966d95dd51dc09a23fa743d21bb2edb4f8943d767fff54a25
• eaa809f6ebdc3ddceba5b7d61bfe29db87f098a4c7bec05243c59df51406dfa1
• ffa68a8f6da85239d67cc3900d6ec7c573ae607cd9061389b260c2f5034dd4a0

URL

• http[:]//altruisme[.]id/wp-admin/vZKnZqjMqsPuwinXFnaBOzVfQe/
• http[:]//apple-doctor[.]co[.]kr/wp-includes/57ue8yxbj9cnltpw79ovgprc79mcgfwrg3g/
• http[:]//blog[.]nalanchenye[.]cn/sjnx/ev7j3w2wuzw9c06sfnsl1pkxomci0k8tx/
• http[:]//blog[.]yaobinjie[.]top/wp-admin/97e4bgd1ipa2xkuy2nmk5ebueof2rugff7/
• http[:]//garatuonline[.]es/wp-admin/ayr56gh65xnuncin8l0ddkngn0gkt2/
• http[:]//giftcatelogz[.]com/wp-admin/cb10wpgm89ysnysitilbbd084/
• http[:]//jftwebmarketing[.]com/mcc/yrjdo5ui3iuvfcu9e1svri/
• http[:]//korekortviborg[.]dk/wsxq66h/mnWlDLjshjGVzx/
• http[:]//mynet07[.]com/wp-admin/bFEYqYEGLBypImyyjc/
• http[:]//nirvana-memorial[.]co[.]th/cgi-bin/ih929uqqn27650xrm/
• http[:]//puskesmasmanguharjo[.]madiunkota[.]go[.]id/hfoiawj24jr/zUbarcSMvgXc/
• http[:]//quangcaogiaodich[.]com/wp-content/upgrade/jzkowiu4uobwywynyj7/
• http[:]//sabzoabi[.]ir/abiosabz[.]ir/mj4qdtd83jid8ibxg9awoe/
• http[:]//shreeharisales[.]org/wp-admin/oLJDQSyjhXrWuCkCUhpHETW/
• http[:]//test[.]oeag[.]at/lare/xzfjglc0ygmm5869qhjlbil/
• http[:]//www[.]awardglobal[.]cn/gsae9da/98ner0e6ynm8wp4jkyrnm4sixrufzjkddvg9/
• http[:]//www[.]cyberoceans[.]ng/cgi-bin/5aua6r6yif7oi2adx2uvh3bq459429hape6ju/
• http[:]//www[.]digitalsushi[.]it/wp-admin/MQlQnlzmtaX/
• http[:]//www[.]dolphininsight[.]it/wp-includes/wIAxwfTVtpEDixSmDMrVE/
• http[:]//www[.]dty5[.]com/aqs2q/i0vzxgxwb2qyiwopfw5x0xghz86b1/
• http[:]//xe-logistics[.]com/san/lba70p8gsncc1fi4wy3cwugxbjrk/

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.